Methods Business and Digital Technology Limited
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service, giving developers and businesses a reliable and cost-effective way to route users to Internet applications by translating names (e.g. www.example.com) into the numeric IP addresses (e.g. 192.0.2.1) that computers use to connect to each other.
//aws.amazon.com/route53/
Features
- Suitable for OFFICIAL
- Available in the London Region, 4 EU Regions and internationally
- NCSC Cloud Security Principles aligned, Security Cleared (SC) staff available
- Connectivity options: N3, HSCN, PSN, Police (ex-PNN), Janet, RLi, others
- Deploy into automated Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) architectures
- Highly available, distributed, reliable DNS infrastructure
- Highly scalable, simple, fast service
- Service discovery supports development of micro-services architectures
- Programmatically integrate Route 53 API into overall web application
- Manage custom domain names without exposing DNS data
Benefits
- Integrated role-based access control across all AWS services (IAM)
- Comprehensive, cross service API audit logging and security (CloudTrail)
- Integration with other AWS services (24x7 support and consolidated billing)
- Training and architectural patterns/guidance (well architected)
- Easy-to-use, cost-effective global traffic management
- Latency-based routing for multi-region service provisioning
- Geo DNS allows routing based on users' geographic location
- Private DNS for Amazon VPC with custom domain names
- DNS failover, health checks, monitoring, alerting
- Domain name registrations, zone apex support
What is Amazon Web Services DNS?
The Domain Name System (DNS) is a global infrastructure that translates human-readable hostnames into IP addresses. Organizations using Amazon Web Services (AWS) run machines in the cloud and need a mechanism to translate user requests into the correct Amazon IP address. In the cloud, IP addresses can change frequently as services move between physical machines and data centers, so an AWS DNS solution must be able to adapt to these changes and propagate them quickly to DNS clients. Amazon's official DNS solution is called Route 53.
What is Amazon Route 53?
Route 53 is a managed DNS service from Amazon Web Services, intended for managing DNS for machines and services deployed on Amazon's public cloud. Route 53 connects user requests to infrastructure running on AWS, such as Amazon EC2 instances, ELB load balancers or Amazon S3 buckets.
Route 53 Pricing
AWS charges several monthly rates depending on your usage:
Security
In April 2018, Russian hackers conducted a BGP attack against the Amazon Route 53 service and hijacked 1,300 IP addresses owned by AWS and using Route 53 for DNS. The victim was a cryptocurrency website: the hackers redirected users to a spoofed duplicate site and stole $160,000 in cryptocurrency.
Industry experts said that deploying DNSSEC (secure DNS) and HSTS (HTTP Strict Transport Security) would have prevented users from being sent to the fake site. At the time of this writing, Route 53 does not support either of these, making it potentially vulnerable to this kind of attack.
How Amazon’s DNS Service Works
When a user accesses a web server using Route 53 DNS, the following process occurs:
- A user accesses www.example.com, an address managed by Route 53, which leads to a machine on AWS.
- The request for www.example.com is routed to the user’s DNS resolver (typically managed by the ISP or local network), and is forwarded to a DNS root server.
- The DNS resolver forwards the request to the TLD name servers for “.com” domains.
- The resolver obtains the authoritative name server for the domain—these will be four Amazon Route 53 name servers that host the domain’s DNS zone.
- The DNS resolver chooses one of the four Route 53 servers, and requests details for the hostname “www.example.com”.
- The Route 53 name server looks in the DNS zone for www.example.com, gets the IP address and other relevant information, and returns it to the DNS resolver.
- The DNS resolver returns the IP address to the user’s web browser, and also caches it locally, as specified by the Time to Live (TTL) parameter.
- The browser contacts the web server or other Amazon-hosted services using the IP address provided by the resolver.
- The website is displayed on the user’s web browser.
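The walk above (root, then the TLD servers, then one of the four authoritative servers, with the answer cached for its TTL) is easy to lose in prose. The following is an added example, not code from the page, from AWS or from NS1: a miniature iterative resolver over a constructed set of zones. All server names, zone data and addresses are invented sample values (documentation ranges from RFC 5737 and RFC 2606), the "awsdns" names only mimic the four-server layout Route 53 uses, and the clock is injectable so TTL expiry can be exercised without waiting.

```python
"""Added example (not from the page, AWS or NS1): a toy iterative resolver
that reproduces the resolution steps listed above, including the choice of
one of four authoritative servers and TTL-based caching of the answer.
All zones, names and addresses are constructed sample data."""
import random
import time

# Constructed "internet": each name server knows only its own zone.
# The root knows the .com servers, the .com server knows who is
# authoritative for example.com, and the four authoritative servers hold
# the actual A record.  TTLs are in seconds.
ROOT_SERVER = "a.root-servers.example"
TLD_SERVER = "a.gtld-servers.example"
AUTH_SERVERS = ["ns-1.awsdns-example.com", "ns-2.awsdns-example.net",
                "ns-3.awsdns-example.org", "ns-4.awsdns-example.co.uk"]
ZONES = {
    ROOT_SERVER: {("com.", "NS"): ([TLD_SERVER], 172800)},
    TLD_SERVER: {("example.com.", "NS"): (AUTH_SERVERS, 172800)},
}
AUTHORITATIVE_ZONE = {("www.example.com.", "A"): (["192.0.2.1"], 300)}
for ns in AUTH_SERVERS:
    ZONES[ns] = AUTHORITATIVE_ZONE  # every one of the four serves the zone


def query(server, name, rtype):
    """Ask one name server.  Returns (answer, referral): an answer if the
    server holds the record, otherwise the closest delegation it knows."""
    zone = ZONES[server]
    if (name, rtype) in zone:
        return zone[(name, rtype)], None
    # Walk up the name (www.example.com. -> example.com. -> com.) to find
    # a delegation this server can refer us to.
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone:
            return None, zone[(parent, "NS")]
    return None, None


class Resolver:
    """The user's recursive resolver (the ISP's, in the steps above)."""

    def __init__(self, clock=time.time):
        self.cache = {}   # (name, rtype) -> (rdata, expiry timestamp)
        self.clock = clock
        self.trace = []   # servers contacted, so the walk can be inspected

    def resolve(self, name, rtype="A"):
        key = (name, rtype)
        now = self.clock()
        cached = self.cache.get(key)
        if cached and cached[1] > now:      # still within the TTL
            self.trace.append("cache")
            return cached[0]
        server = ROOT_SERVER
        while True:
            self.trace.append(server)
            answer, referral = query(server, name, rtype)
            if answer:
                rdata, ttl = answer
                self.cache[key] = (rdata, now + ttl)   # cache for the TTL
                return rdata
            if not referral:
                raise LookupError(f"no data for {name}")
            # Step 5 above: pick any one of the delegated servers.
            server = random.choice(referral[0])


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."), "via", " -> ".join(r.trace))
    print(r.resolve("www.example.com."), "via", r.trace[-1])
```

The second lookup in the usage at the bottom is served from the cache; set a short TTL or move the injected clock forward by more than 300 seconds and the resolver walks the hierarchy again, which is exactly the propagation delay the TTL parameter in step 7 controls.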
Amazon Route 53 Limitations
Amazon Route 53 is a robust DNS service with advanced features, but it has several important limitations:
- Route 53 private endpoints are not available over VPN/Direct Connect. When a private zone is created and associated with a VPC, Route 53 creates a DNS endpoint for that VPC. A forwarder is required so that on-premises clients can resolve records in a Route 53 hosted zone; however, the Route 53 private endpoint address for the VPC is not routable across VPN or Direct Connect.
- Route 53 provides no forwarding or conditional forwarding options for domains used on an on-premises network.
- Route 53 does not support private zone transfers. For example, if you have the root-level domain “example.com” registered somewhere else, you cannot appoint Route 53 as the authoritative source for “cloud.example.com”.
You can implement several workarounds for forwarding Route 53 DNS queries to external servers, but these still incur latency, because the requests must reach Amazon infrastructure first and are only then forwarded to the external server.
In addition, at the time of this writing, Amazon Route 53 does not support the DNSSEC standard, which digitally signs DNS records so that a resolver can check they are identical to the information published by the authoritative name server. DNSSEC can prevent several types of DNS attacks, including man-in-the-middle (MITM) attacks.
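To make concrete what DNSSEC's signature check buys a resolver, here is an added example that is not code from the page, from AWS or from NS1: a simplified model in which the authoritative side signs a canonical serialisation of an RRset and the validating side rejects any answer whose records differ from what was signed. Textbook RSA over two small Mersenne primes stands in for the real DNSKEY/RRSIG/DS chain, and the record format is invented; only the idea (sign the whole RRset, validate before trusting the answer) is faithful to DNSSEC. The key sizes are assumptions for readability and are far too small for real use.

```python
"""Added example (not from the page, AWS or NS1): a toy model of DNSSEC
RRset signing and validation.  Textbook RSA with tiny constructed keys
replaces the real algorithms and wire formats; the point shown is that a
record changed between the authoritative server and the resolver fails
validation, which is what the DNSSEC check described above provides."""
import hashlib

# Constructed toy RSA key: two Mersenne primes, public exponent 65537.
# Real DNSSEC keys are thousands of bits (or use ECDSA/EdDSA).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (zone owner only)


def canonical_rrset(name, rtype, ttl, rdatas):
    """DNSSEC signs the RRset as a whole in canonical (lower-cased, sorted)
    form, so the signature covers every record and their order."""
    lines = [f"{name.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas)]
    return "\n".join(lines).encode()


def _digest(name, rtype, ttl, rdatas, n):
    h = hashlib.sha256(canonical_rrset(name, rtype, ttl, rdatas)).digest()
    return int.from_bytes(h, "big") % n


def sign_rrset(name, rtype, ttl, rdatas, d=D, n=N):
    """Authoritative side: produce the toy equivalent of an RRSIG."""
    return pow(_digest(name, rtype, ttl, rdatas, n), d, n)


def verify_rrset(name, rtype, ttl, rdatas, signature, e=E, n=N):
    """Validating resolver: recompute the digest of what was received and
    compare it with the digest recovered from the signature."""
    return pow(signature, e, n) == _digest(name, rtype, ttl, rdatas, n)


def validate_answer(answer, signature):
    """Accept an answer (name, rtype, ttl, rdatas) only if it validates;
    a resolver that does this cannot be fed an altered record."""
    name, rtype, ttl, rdatas = answer
    if not verify_rrset(name, rtype, ttl, rdatas, signature):
        raise ValueError(f"DNSSEC validation failed for {name}")
    return rdatas


if __name__ == "__main__":
    genuine = ("www.example.com.", "A", 300, ["192.0.2.1"])
    sig = sign_rrset(*genuine)
    print("genuine answer:", validate_answer(genuine, sig))
    # Constructed altered answer, as a resolver might receive after an
    # on-path change: same name, different address, same signature.
    altered = ("www.example.com.", "A", 300, ["203.0.113.9"])
    try:
        validate_answer(altered, sig)
    except ValueError as err:
        print("rejected:", err)
```

Without a signature to check, the resolver in the earlier resolution steps has no way to tell the genuine and altered answers apart; with one, the altered answer is discarded before the browser ever sees the address, which is the mitigation the paragraph above describes.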
AWS DNS Alternatives
While Route 53 is a natural option for managing DNS in Amazon's ecosystem, it is possible to use third-party DNS providers. However, you need to make sure that your DNS provider can intelligently route traffic to the optimal endpoint, data center or geography in the same way that Route 53 does.
NS1 is a next-generation managed DNS service with advanced traffic routing capabilities. It uses a fast global network of DNS servers and provides advanced capabilities such as anycast networking, point-and-click traffic management and data-driven content delivery.
NS1 provides a REST API and built-in integration with deployment and automation tools, allowing you to supply up-to-date information about your AWS servers: their physical location, data center, load, availability and more. NS1 can then route traffic according to these parameters, which are provided in real time.
This means NS1 can provide features similar to Route 53's (latency-based routing, geographic routing, health checks and DNS failover) and more, because it allows you to route traffic based on any server attribute or traffic condition. Contact us for a demo to see how NS1 can help you manage traffic on AWS without the limitations of Route 53.